Inside the Snowflake Breach
Anatomy of a Hack

In mid-2024, a coordinated attack campaign breached at least 160 Snowflake customer environments, including major brands such as AT&T, Ticketmaster, Santander, and Neiman Marcus.
The attackers, identified as UNC5537 or ShinyHunters, systematically exfiltrated terabytes of sensitive data, including PII, DEA numbers, event tickets, and metadata. The campaign escalated into extortion, with some victims, like AT&T, paying ransoms to prevent data leakage.
Initial Access & Credential Theft
The incursion did not exploit Snowflake's platform. Rather, the attackers relied on infostealer malware—such as Redline, Lumma Stealer, Vidar, Raccoon Stealer, Risepro, and others—to harvest credentials from infected machines. Mandiant revealed that at least 79.7% of the compromised accounts were using credentials stolen in such campaigns, with infection dates stretching back as early as November 2020.
Those credentials, often reused across services and tied to accounts without multi-factor authentication, allowed direct access to customer Snowflake instances. Notably, a compromised contractor device, which also held repository and JIRA login information, became a key pivot point. This access allowed login to high-privilege accounts without MFA or conditional location checks, enabling rapid lateral penetration.
Reconnaissance & Lateral Extension
With valid credentials in hand, attackers logged into customer Snowflake accounts through Snowsight (web UI) or SnowSQL (CLI) with no MFA obstacles. Because Snowflake's shared responsibility model leaves access controls such as MFA and network policies to the customer, the intruders moved within customer environments with minimal detection. The attacker’s reach included configuration consoles, query execution layers, and data extraction interfaces—all without triggering platform or perimeter alarms.
Mandiant dubbed the attackers' internal reconnaissance utility "FROSTBITE"; it collected metadata and executed queries to understand schema, user roles, and consumption patterns.
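The login pattern described in the two preceding sections, a valid password with no second factor presented from a machine the user has never logged in from, is visible in Snowflake's own audit views. The query below is an added example for this article, not Snowflake's or Mandiant's published hunting guidance: it lists successful password-only logins in the last 7 days from a client IP the same user had not used in the prior 90 days. The views and columns are Snowflake's standard ACCOUNT_USAGE schema; the 7-day alert window and 90-day baseline are assumptions to tune per environment.

```sql
-- Added example (not from the article or from Snowflake's published guidance):
-- successful password-only logins (no second factor) coming from a client IP
-- the user has not used in the preceding 90 days.
-- Assumptions: 7-day alert window, 90-day baseline. ACCOUNT_USAGE views lag
-- live activity by up to about two hours, so this is a hunting query, not a
-- real-time control.
WITH recent AS (
    SELECT event_timestamp, user_name, client_ip,
           reported_client_type, first_authentication_factor
    FROM snowflake.account_usage.login_history
    WHERE is_success = 'YES'
      AND first_authentication_factor = 'PASSWORD'
      AND second_authentication_factor IS NULL      -- no MFA presented
      AND event_timestamp >= DATEADD('day', -7, CURRENT_TIMESTAMP())
),
baseline AS (
    -- every (user, IP) pair seen in the 90 days before the alert window
    SELECT DISTINCT user_name, client_ip
    FROM snowflake.account_usage.login_history
    WHERE is_success = 'YES'
      AND event_timestamp <  DATEADD('day', -7,  CURRENT_TIMESTAMP())
      AND event_timestamp >= DATEADD('day', -90, CURRENT_TIMESTAMP())
)
SELECT r.event_timestamp, r.user_name, r.client_ip, r.reported_client_type
FROM recent r
LEFT JOIN baseline b
       ON b.user_name = r.user_name
      AND b.client_ip = r.client_ip
WHERE b.client_ip IS NULL                           -- first sighting of this IP
ORDER BY r.event_timestamp DESC;
```

REPORTED_CLIENT_TYPE separates Snowsight and SnowSQL logins from driver-based connections, which helps when a service account that normally connects from a fixed data-center range suddenly authenticates from a residential address via the CLI.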
Data Exfiltration & Extortion
Exfiltration unfolded quietly: attackers exported sensitive datasets over time, including metadata records from AT&T, ticket data from Ticketmaster, and customer information from Santander.
Attackers used a pipeline of SQL commands to stage and extract valuable data. Typical steps included:
SHOW TABLES to enumerate available datasets
SELECT * FROM to stage data exports
CREATE TEMPORARY STAGE to prepare staging areas internal to Snowflake
COPY INTO to move data into the stage
GET to retrieve the data for exfiltration
These commands enabled exfiltration via Snowflake’s own infrastructure, bypassing external detection.
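Because every one of those steps is an ordinary SQL statement, each is recorded in QUERY_HISTORY, and the sequence itself is a usable detection signal. The query below is an added example for this article, not Snowflake's own hunting query: it tags each successful statement as a stage-creation, unload, or retrieval step and reports sessions in which all three occurred within an hour, joined to SESSIONS for the client application and authentication method. The views and columns are Snowflake's standard ACCOUNT_USAGE schema; the 24-hour lookback and 60-minute window are assumptions. The QUERY_TYPE values 'UNLOAD' (COPY INTO a stage) and 'GET_FILES' (GET) are Snowflake's; the regular expressions are a fallback on the statement text.

```sql
-- Added example (not from the article or from Snowflake): flag sessions whose
-- query history shows the stage -> unload -> retrieve sequence within a short
-- window. Assumptions: 24-hour lookback, 60-minute window, all three steps
-- required; tune to the environment.
WITH tagged AS (
    SELECT session_id, user_name, role_name, start_time,
           CASE
             -- CREATE [OR REPLACE] TEMP|TEMPORARY STAGE ...
             WHEN REGEXP_LIKE(query_text,
                    '^\\s*CREATE\\s+(OR\\s+REPLACE\\s+)?(TEMP|TEMPORARY)\\s+STAGE\\s.*', 'is')
                                                          THEN 'STAGE'
             -- COPY INTO @stage FROM <table or query> (query_type UNLOAD)
             WHEN query_type = 'UNLOAD'
               OR REGEXP_LIKE(query_text, '^\\s*COPY\\s+INTO\\s+@.*', 'is')
                                                          THEN 'UNLOAD'
             -- GET @stage file://... (query_type GET_FILES)
             WHEN query_type = 'GET_FILES'
               OR REGEXP_LIKE(query_text, '^\\s*GET\\s+@.*', 'is')
                                                          THEN 'GET'
           END AS step
    FROM snowflake.account_usage.query_history
    WHERE start_time >= DATEADD('hour', -24, CURRENT_TIMESTAMP())
      AND execution_status = 'SUCCESS'
),
per_session AS (
    SELECT session_id, user_name, role_name,
           MIN(start_time)                 AS first_step,
           MAX(start_time)                 AS last_step,
           COUNT(DISTINCT step)            AS distinct_steps,
           SUM(IFF(step = 'UNLOAD', 1, 0)) AS unload_count
    FROM tagged
    WHERE step IS NOT NULL
    GROUP BY session_id, user_name, role_name
)
SELECT p.user_name, p.role_name, p.session_id,
       p.first_step, p.last_step, p.unload_count,
       s.client_application_id, s.authentication_method
FROM per_session p
JOIN snowflake.account_usage.sessions s
  ON s.session_id = p.session_id
WHERE p.distinct_steps = 3                                 -- all three steps present
  AND DATEDIFF('minute', p.first_step, p.last_step) <= 60
ORDER BY p.unload_count DESC, p.last_step DESC;
```

Legitimate ETL jobs also unload to stages, so the useful filter is the combination: a high unload count from a session whose AUTHENTICATION_METHOD is a plain password and whose CLIENT_APPLICATION_ID is an interactive tool rather than the scheduler that normally runs the job.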
The threat actor then listed stolen data for sale on cybercrime forums and issued extortion demands to organizations. AT&T reportedly paid $370,000 to attempt to have data deleted. Subsequent investigations by Mandiant and CrowdStrike confirmed credential compromise was the root cause—not a Snowflake vulnerability or misconfiguration.
The campaign has been attributed to UNC5537, an organized financially motivated group with a history of targeted data theft and extortion. In late 2024, law enforcement arrested two suspects—Connor Moucka (alias Waifu) and John Binns (alias IRDev)—linked to the operation.
Breach Analysis
This campaign succeeded due to a confluence of gaps: credential reuse, lack of MFA enforcement, absence of network allow-listing, and over-reliance on default security posture. Infostealer malware persisted for years, reused passwords remained active, and dormant or demo accounts (often without MFA) provided easy entry points. Snowflake customers had not enforced stricter access controls or behavioral monitoring.
A hardened, offense-informed defense could have disrupted the breach at multiple phases. Enforcing MFA across all accounts, requiring conditional access based on IP or geolocation, rotating credentials regularly, disabling inactive accounts promptly, and instrumenting behavioral analytics for anomalous queries would have raised detection and response confidence. Additionally, extending data loss prevention and SIEM integrations into third-party access paths could have caught exfiltration attempts earlier. Post-breach, Snowflake issued hunting guidance and queries for suspicious client usage patterns, session anomalies, and data egress behavior.
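Three of the controls named above, network allow-listing, MFA enforcement, and prompt disabling of inactive accounts, are account-level Snowflake settings. The statements below are an added example for this article, not text from Silent Breach or Snowflake: the network range is a placeholder from the TEST-NET documentation block, the policy and user names are assumptions, and the 90-day dormancy threshold is a choice to adjust. They require a role with account-administration privileges.

```sql
-- Added example (not from the article or from Snowflake's documentation).
-- Placeholders: 198.51.100.0/24 (TEST-NET range), policy names, demo_account.

-- 1. Network allow-listing: only known egress ranges may connect.
CREATE NETWORK POLICY corp_egress_only
  ALLOWED_IP_LIST = ('198.51.100.0/24')        -- placeholder; use real office/VPN CIDRs
  COMMENT = 'Corporate egress only; review quarterly';
ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;

-- 2. MFA for every password-based login, on every client type
--    (Snowsight, SnowSQL and drivers alike).
CREATE AUTHENTICATION POLICY require_mfa
  MFA_ENROLLMENT = REQUIRED
  MFA_AUTHENTICATION_METHODS = ('PASSWORD')
  CLIENT_TYPES = ('ALL')
  COMMENT = 'Password logins must present a second factor';
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;

-- 3. Dormant accounts: list users that hold a password and have not logged
--    in for 90 days (or never have), then disable them.
SELECT name, created_on, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND NOT disabled::boolean
  AND has_password = TRUE
  AND COALESCE(last_success_login, created_on)
        < DATEADD('day', -90, CURRENT_TIMESTAMP())
ORDER BY last_success_login NULLS FIRST;

ALTER USER demo_account SET DISABLED = TRUE;    -- demo_account is a placeholder name
```

Two operational points: Snowflake refuses to activate an account-level network policy if the current session's own IP is not on the allowed list, so roll it out to a test user first with ALTER USER ... SET NETWORK_POLICY; and authentication policies live inside a schema, so create them in a dedicated administration database rather than wherever the session happens to be pointed.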
Key Takeaways
The Snowflake breach underscores the importance of a holistic, identity-first security posture. Attackers don’t always need platform vulnerabilities. Instead, they leverage stolen credentials—and if MFA is missing, that is often enough for full compromise of critical cloud infrastructure. Detection must focus on anomalous user behavior within accounts, not platform-level threats only. This is the offense-informed mindset we train teams to adopt: think like a hacker, defend like a pro.
Quantum Armor continuously monitors for signs of malware-based credential theft and third-party leaks, alerting you before stolen access can be weaponized. Register for a free trial at qarmor.io.
About Silent Breach: Silent Breach is an award-winning provider of cyber security services. Our global team provides cutting-edge insights and expertise across the Data Center, Enterprise, SME, Retail, Government, Finance, Education, Automotive, Hospitality, Healthcare and IoT industries.